ASA and FTD Security Appliances Might Fail To Pass Traffic After 213 Days Of Uptime
I’ve recently had to work on a sev1 case where one of my customers' environments suddenly stopped responding to outside requests.
Once the bug hits your security appliance, the ARP table gradually empties and the ASP drop counter for Punt rate limit exceeded (punt-rate-limit) keeps increasing.
What makes this bug even more difficult is that not all services are impacted right away. In my situation I was able to SSH to the impacted device but couldn’t find anything wrong. After a while my SSH session was dropped, and at that moment I knew something weird was going on.
Console into the device and verify the ASP drop counter and the uptime to confirm whether you have hit Cisco bug CSCvd78303.
```
!Verify up time
ASA-Pri/admin/sec/act> sh ver | grep up
ASA-Pri up 224 days 16 hours
failover cluster up 4 years 334 days

!Verify asp drop increasing for Punt
ASA-Pri/admin/sec/act# sh asp drop | in Punt
Punt rate limit exceeded (punt-rate-limit) 225370

!Verify arp table to be empty (or almost)
ASA-Pri/admin/sec/act# sh arp
```
There are two ways to mitigate the issue in case you are in the same boat.
If your security appliance is not passing traffic because of the bug, the fastest approach is to reload the device, which resets the uptime counter. Make sure to save the configuration (write memory or copy running-config startup-config) before you do! Once the appliance is back, your services should return to normal. Keep in mind that a reload is only a stopgap: the counter starts over, so an unpatched appliance will hit the bug again after another 213 days.
To get rid of the issue once and for all, plan a maintenance window to upgrade your software.
Refer to the Cisco upgrade path to find your fixed release. Once the upgrade is done, you should be good from then on.
| Impacted Software Version(s) | Fixed Software Version(s) |
|---|---|
| FTD 6.1(0)1, 6.1(0)2 | FTD 6.1(0)3 or later |
| FTD 6.2(0) | FTD 6.2(0)1 or later |
| ASA 9.1(7)9, 9.1(7)11, 9.1(7)12, 9.1(7)13, 9.1(7)15 | ASA 9.1(7)16 or later |
| ASA 9.2(4)15, 9.2(4)17, 9.2(4)18 | ASA 9.2(4)20 or later |
| ASA 9.4(3)6, 9.4(3)8, 9.4(3)11, 9.4(3)12, 9.4(4), 9.4(4)2 | ASA 9.4(4)5 or later |
| ASA 9.5(3), 9.5(3)1, 9.5(3)2, 9.5(3)6 | ASA 9.6(3)1 or later |
| ASA 9.6(2)1, 9.6(2)2, 9.6(2)3, 9.6(2)4, 9.6(2)7, 9.6(2)11, 9.6(2)13, 9.6(3) | ASA 9.6(3)1 or later |
| ASA 9.7(1), 9.7(1)2 | ASA 9.7(1)4 or later |
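Putting the three console checks and the version table together, here is an added example (my own script, not Cisco tooling and not part of the original post) that parses captured `show version`, `show asp drop` and `show arp` output and reports whether a unit has already hit the bug or how many days it has left before the 213-day threshold. It assumes ASA-format `show version` output (FTD prints differently and is not handled), a 14-day warning lead time that you would tune to your change process, and the sample outputs embedded at the bottom are constructed to resemble the post's output rather than real captures. Run it across the outputs you pull from every firewall in the fleet and you get a reload/upgrade priority list instead of waiting for the next sev1.

```python
"""Triage helper for Cisco bug CSCvd78303 (ASA/FTD stop passing traffic after 213 days).
Added example, not Cisco tooling and not the post author's code. It parses the output of
the three commands the post uses (show version, show asp drop, show arp) and reports
whether a device has hit the bug or how many days it has left. Samples are constructed."""
import re

BUG_UPTIME_DAYS = 213   # threshold from the post's title
WARN_BEFORE_DAYS = 14   # assumed lead time for scheduling a reload or upgrade

# Impacted ASA releases copied from the table in the post. FTD "show version" output is
# laid out differently and is not parsed here (assumption: ASA-format output only).
IMPACTED_ASA_VERSIONS = {
    "9.1(7)9", "9.1(7)11", "9.1(7)12", "9.1(7)13", "9.1(7)15",
    "9.2(4)15", "9.2(4)17", "9.2(4)18",
    "9.4(3)6", "9.4(3)8", "9.4(3)11", "9.4(3)12", "9.4(4)", "9.4(4)2",
    "9.5(3)", "9.5(3)1", "9.5(3)2", "9.5(3)6",
    "9.6(2)1", "9.6(2)2", "9.6(2)3", "9.6(2)4", "9.6(2)7", "9.6(2)11", "9.6(2)13", "9.6(3)",
    "9.7(1)", "9.7(1)2",
}

# "<hostname> up 224 days 16 hours". "failover cluster up ..." has two words before "up"
# and so does not match; that line is the pair's uptime, not this unit's.
_UPTIME_RE = re.compile(
    r"^\S+ up(?: (?P<years>\d+) years?)?(?: (?P<days>\d+) days?)?"
    r"(?: (?P<hours>\d+) hours?)?(?: (?P<mins>\d+) mins?)?\s*$", re.MULTILINE)
_VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version (\S+)")
_PUNT_RE = re.compile(r"Punt rate limit exceeded \(punt-rate-limit\)\s+(\d+)")
# One "show arp" entry: <interface> <ipv4> <xxxx.xxxx.xxxx mac> [age]
_ARP_RE = re.compile(r"^\s*\S+\s+\d{1,3}(?:\.\d{1,3}){3}\s+(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b",
                     re.MULTILINE | re.IGNORECASE)


def parse_uptime_days(show_version: str) -> float:
    """Device uptime in days (a year counted as 365 days) from 'show version' output."""
    m = _UPTIME_RE.search(show_version)
    if not m:
        raise ValueError("no '<hostname> up ...' line found in show version output")
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return g["years"] * 365 + g["days"] + g["hours"] / 24 + g["mins"] / 1440


def parse_version(show_version: str) -> str:
    """Software version string, or "" when the line is missing."""
    m = _VERSION_RE.search(show_version)
    return m.group(1) if m else ""


def punt_rate_limit_drops(show_asp_drop: str) -> int:
    """Current value of the punt-rate-limit ASP drop counter, 0 if the line is absent."""
    m = _PUNT_RE.search(show_asp_drop)
    return int(m.group(1)) if m else 0


def arp_entry_count(show_arp: str) -> int:
    return len(_ARP_RE.findall(show_arp))


def assess(show_version: str, asp_drop_samples, show_arp: str) -> dict:
    """Combine the post's three checks into one verdict. asp_drop_samples are 'show asp
    drop' outputs taken a minute or so apart, so a rising counter stands out from an old one."""
    version = parse_version(show_version)
    uptime = parse_uptime_days(show_version)
    punts = [punt_rate_limit_drops(s) for s in asp_drop_samples]
    punt_increasing = len(punts) >= 2 and punts[-1] > punts[0]
    arp_entries = arp_entry_count(show_arp)
    days_left = BUG_UPTIME_DAYS - uptime
    r = {"version": version, "uptime_days": round(uptime, 2), "days_left": round(days_left, 2),
         "punt_rate_limit_drops": punts, "punt_increasing": punt_increasing,
         "arp_entries": arp_entries}
    if version not in IMPACTED_ASA_VERSIONS:
        r["verdict"] = "NOT LISTED: version missing or not in the impacted table (verify with Cisco)"
    elif uptime >= BUG_UPTIME_DAYS and (punt_increasing or arp_entries == 0):
        r["verdict"] = "HIT: reload to clear the counter, then upgrade to a fixed release"
    elif uptime >= BUG_UPTIME_DAYS:
        r["verdict"] = "PAST THRESHOLD: symptoms can lag, reload at the first opportunity"
    elif days_left <= WARN_BEFORE_DAYS:
        r["verdict"] = f"WARN: {days_left:.0f} days left, schedule a reload or upgrade now"
    else:
        r["verdict"] = f"OK for now: {days_left:.0f} days left, upgrade before then"
    return r


# Constructed samples shaped like the post's output (not real captures).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.6(2)3
ASA-Pri up 224 days 16 hours
failover cluster up 4 years 334 days
"""
SAMPLE_ASP_DROP_T0 = "  Punt rate limit exceeded (punt-rate-limit)                  225370\n"
SAMPLE_ASP_DROP_T1 = "  Punt rate limit exceeded (punt-rate-limit)                  225612\n"
SAMPLE_ARP_EMPTY = ""  # 'show arp' printed nothing: the table has drained
SAMPLE_ARP_HEALTHY = """\
        inside 10.10.0.1 0050.5685.1a2b 12
        outside 203.0.113.1 0050.5685.3c4d 7
"""
HEALTHY_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.6(3)1
ASA-Sec up 30 days 2 hours 5 mins
"""

if __name__ == "__main__":
    print("ASA-Pri:", assess(SAMPLE_SHOW_VERSION, [SAMPLE_ASP_DROP_T0, SAMPLE_ASP_DROP_T1], SAMPLE_ARP_EMPTY)["verdict"])
    print("ASA-Sec:", assess(HEALTHY_SHOW_VERSION, [SAMPLE_ASP_DROP_T0], SAMPLE_ARP_HEALTHY)["verdict"])
```

The verdict deliberately requires a listed version plus either a climbing punt-rate-limit counter or an empty ARP table before it says HIT; a large but static counter on a unit that has been up a long time is old history, which is why two `show asp drop` samples are taken. The "NOT LISTED" branch is not a clean bill of health, only a statement that the version is not in the post's table.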
Lastly, I strongly encourage you to sign up for the Cisco Notification Service to receive similar field notices in the future.
Regards,
Bart